I am using Ghost as a blogging platform and nginx as a reverse proxy for ghost as detailed in the documentation. Ghost is installed in a subdirectory and is served over the domain http://example.com/blog whereas the static website is served over example.com
I have set up SSL on my server and want to serve the ghost login page (example.com/blog/ghost) over SSL while serving the rest of the pages over normal HTTP. However if I use forceAdminSSL:true and try to go to http://example.com/blog/ghost it should automatically redirect me to https://example.com/blog/ghost. Instead I'm redirected to https://example.com/ghost and end up with 404 error. The only work around I have found that works is to use foreAdminSSL:{redirect:false} which is clumsy because then I have to manually type https in the address bar instead of http.
How do I server Ghost Admin panel over ssl while ghost is installed in a subdirectory? I guess this has something to do with configuration in nginx.
My nginx config block
server {
listen 80;
listen 443 ;
server_name *.example.com;
server_name example.com;
ssl on;
ssl_certificate /etc/nginx/ssl/certificate.crt;
ssl_certificate_key /etc/nginx/ssl/key.key;
location ^~/blog {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:2786;
proxy_redirect off;
}
location / {
root "/home/ubuntu/somedirectory/";
index index.html;
}
I think you haven't entered the config URL while setting up Ghost correctly.
You can do this by running the following commands:
ghost config URL https://my-domain.com/blog/
ghost restart
If this doesn't solve the problem, you can check out a detailed tutorial, solving this issue, on my blog here
Related
I installed Harbor in a server inside the company farm and I can use it without problem through https://my-internal-server.com/harbor.
I tried to add the reverse proxy rules to Apache to access it through the public server for harbor, v2, chartrepo, service endpoints, like https://my-public-server.com/harbor, but this doesn't work.
For example:
ProxyPass /harbor https://eslregistry.eng.it/harbor
ProxyPassReverse /harbor https://eslregistry.eng.it/harbor
I also set in harbor.yaml:
external_url: https://my-public-server.com
When I try to access to https://my-public-server.com/harbor with the browser I see a Loading... page and 404 errors for static resources because it tries to get them with this GET:
https://my-public-server.com/scripts.a459d5a2820e9a99.js
How can I configure it to work?
You should pass the whole domain, not only the path. Take a look at the official Nginx config to have an idea how this might look like.
upstream harbor {
server harbor_proxy_ip:8080;
}
server {
listen 443 ssl;
server_name harbor.mycomp.com;
ssl_certificate /etc/nginx/conf.d/mycomp.com.crt;
ssl_certificate_key /etc/nginx/conf.d/mycomp.com.key;
client_max_body_size 0;
chunked_transfer_encoding on;
location / {
proxy_pass http://harbor/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
Note that you should disable proxy or buffering
I'm having a problem with a nginx configuration which I use as a reverse proxy for different containerized applications.
Basically Nginx is listening on port 80 and is redirecting every request to https. On different subdomains I'll then proxy pass to the port of the applications.
For example my gitlab config:
server {
listen 443 ssl; # managed by Certbot
server_name gitlab.foo.de www.gitlab.foo.de;
location /{
proxy_pass http://localhost:1080;
}
I'm redirecting to the gitlab http (not https) port. The systems nginx is taking care of SSL, I don't care if the traffic behind is encrypted or not.
This has been working for every app since yesterday.
I'd like to test https://github.com/bitnami/bitnami-docker-osclass for an honorary association. Same config as above but it is not working as intended.
Ressources are downloaded via https while the main page is getting a redirect to http.
Exmaple: https://osclass.foo.de --> redirect --> http://osclass.foo.de:1234/ (yes with the port in the domain which is very strange)
I don't get why? So I changed the config a little to:
server {
listen 443 ssl; # managed by Certbot
server_name osclass.foo.de www.osclass.foo.de;
location /{
proxy_pass http://localhost:1234;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Now the mainpage is loaded via https and I don't have the port in my domain anymore. But the whole page is broken because no ressources will be loaded due to
"mixed-content warning".
SEC7111: [Mixed-Content] Origin "https://osclass.foo.de" [...] "http://osclass.foo.de/oc-includes/osclass/assets/js/fineuploader/fineuploader.css"
Do I have a conflict with the integrated apache in the docker image or what am I doing wrong?
Any hints are appretiated!
Kind regards from Berlin!
I found a solution to fix the mixed content problem. I just edited the following line in
/opt/bitnami/osclass/config.php
# define('WEB_PATH', 'http://osclass.foo.de/');
define('WEB_PATH', 'https://osclass.foo.de/'); # with https
I have a server in windows using Plesk.
I have a domain (example.com), also I bought a SSL certificate for this domain.
I just installed successfully and configure the domain and ssl in my server. So now I can join to my web using https://www.example.com or example.com and will be redirect to https://....
Until that everything works fine.
But now I have been developed an API in GoLang which can’t start to listen at 443 port for some reason. (I thought that maybe because is being already used ?) So I changed to 8081 port. Now when I want to make a request to my API I have to use https://www.example.com:8081/api/v1/users for example.
The problem is that some applications show me a error “Certificate invalid” which I think is because the port is not 443. Is there any way that I can run go in 443?
The code in GO is this: (The crt and key are the ones provided by GoDaddy, is where I bought the SSL)
func main() {
router := NewRouter()
handler := cors.AllowAll().Handler(router)
log.Fatal(http.ListenAndServeTLS(":8081", "tls.crt", "tls.key", handler))
}
Run the whole Golang application behind nginx (reverse proxy):
Create a Virtual Host Server Block in Nginx using your domain.
https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-server-blocks-virtual-hosts-on-ubuntu-16-04
Setup your SSL certs
Point that domain to your Golang App
server {
server_name example.com;
location / {
proxy_pass http://localhost:8081;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
proxy_pass_request_headers on;
proxy_read_timeout 150;
}
ssl_certificate /path/to/chainfile/example.com/abcd.pem;
ssl_certificate_key /path/to/privatekeyfile/example.com/abcd.pem;
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
}
We have an app that uploads automatically generated SSL certificate to our NGINX load balancers. One time the we had this issue that a "bad certificate" got uploaded and then a automated nginx reload is thereafter executed, our server went offline for a while causing DNS issues (DNS not found) for our server domain. Causing a huge downtime to our clients.
However it is a feature / function in our application to allow apps to upload SSL cerficate and our backend server installs it automatically, is there a way to tell to ignore bad NGINX conf files and crt/key's altogether? Looking at the before logs I can remember that I saw something like SSL handshake error before the incident.
Here's how our main nginx-jelastic.conf looks like:
######## HTTP SECTION PROTOTYPE ########
http {
server_tokens off ;
### other settings hidden for simplicity
include /etc/nginx/conf.d/*.conf;
}
######## TCP SECTION PROTOTYPE ########
So what I am thinking if it's possible for nginx to just ignore all bad NGINX conf files that is located there. Here's a sample of what gets uploaded in the conf.d folder:
#
www.example-domain.com HTTPS server configuration
#
server {
listen 443 ssl;
server_name www.example-domain.com;
ssl_certificate /var/lib/nginx/ssl/www.example-domain.com.crt;
ssl_certificate_key /var/lib/nginx/ssl/www.example-domain.com.key;
access_log /var/log/nginx/localhost.access_log main;
error_log /var/log/nginx/localhost.error_log info;
proxy_temp_path /var/nginx/tmp/;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
location / {
set $upstream_name common;
include conf.d/ssl.upstreams.inc;
proxy_pass http://$upstream_name;
proxy_next_upstream error;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Host $http_host;
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
proxy_set_header X-URI $uri;
proxy_set_header X-ARGS $args;
proxy_set_header Refer $http_refer;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
For some reason the certificate and key indicated in the configuration could be wrong, that that is going to wreck the nginx server and since our domain is pointed to this server via A record, it us a total disaster if the nginx fails as DNS issues happens and it could take 24-48 hours for DNS to get back.
I am configuring nginx at port 80 as proxy server to Apache server on port 8080, using Centos 7.
I successfully configure both for http, but after installing lets encrypt certificate for Apache, I see Apache is directly receiving traffic for https. I tried to make nginx receive traffic for all HTTP and HTTPS, but face issue,
I do a lot of changes like disable apache to listen on port 443, and only listen to 8080.
I configure nginx to listen both at 80 and 443, additionally I remove certificate for apache and add to nginx configuration files. currently.
nginx configuration is as follow:
server {
listen 80;
listen [::]:80 default_server;
#server_name _;
server_name www.example.com;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
proxy_pass http://my.server.ip.add:8080;
root /usr/share/nginx/html;
proxy_redirect off;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
server {
listen 443 default_server;
server_name www.example.com;
root /usr/share/nginx/html;
ssl on;
ssl_certificate /etc/letsencrypt/live/www.example.com/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
#ssl_dhparam /etc/pki/nginx/dh2048.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA--REMOVED-SOME-HERE-SHA';
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
Note: I am using php 7.0
currently site is working on both https and http with 1 known issue i.e. User images are not loading. but I am not sure it is served by apache or nginx, in RESPONSE I can see "nginx/1.10.2"
What I was actually going to implement: I was trying to run both
node.js and apache using nginx. I donot start node yet.
My questions:
Is it really beneficial to use nginx in front and apache at the backend? (I read it protect from dDos attacks).
Where should we put certificate at nginx or apache?
How can I add node.js in nginx configuration? I already installed node js.
What can be best configuration of using both nginx and apache?
Good evening,
First of all all the considerations you have made at the infrastructure level are very good and in my opinion the proxy configuration despite the difficulties of implementation at this time is the best.
I've been using it for some time now and the benefits are enormous. However, I would like to ask you what type of cloud infrastructure you are using because there are so many things that change depending on the technical infrastructure. For example, I use only Google Cloud Platform that is completely different from CloudFlare or Other AWS.
The configuration made is too articulated and unclear from the point of view of the structure. You should try this way:First, enter the http context with the upstream domain name directive and inside the server IP address with Apache, and then make declarations for server and location contexts by including the parameters of the proxy_params file and snippet ssl.
If you want and help me understand the infrastructure we adopt, we can see how to make the configuration together but so it is imminent because each infrastructure responds to a different configuration.
It also applies to php7.0. For example, configuring PrestaShop 1.7.1.1 with php7.0 I had to make a lot of changes to the php.ini code of the CMS as I did not use CGI in FPM but this as I said was very varied.
see https://www.webfoobar.com/node/35